Legal Aspects of Beacon Technology Solutions

09Apr

Thanks to precise position determination, Beacon offers customers precise information and services on their smartphone at the point of sale. We explain the beacon technology solutions and iBeacon technology to you!

The new “beacon” in the marketing sky is caused by small radio transmitters, the iBeacons. The word beacon comes from the aviation and shipping industry and means something like radio beacon or beacon. Apple introduced iBeacon last year with the launch of its iOS 7 mobile operating system. It is to expand the location services of their mobile operating system iOS. It starts where GPS and other location systems no longer work, inside buildings.

Beacons are a few centimeters small transmitters that do nothing but send a “beacon” of tiny data packets in close range. This essentially contains three pieces of information: a UUID (Universally Unique Identifier), which serves to uniquely identify the sender, and two pieces of information about the position, major and minor.

In plain language: “I am X and I am in the New York Apple Store (Major) in the iPads (Minor) department.” Apple estimates the range of this beacon to be some 10 meters. The maximum range defines the boundary between entering and leaving the active area. There are four zones within this area: Immediate = The receiver is very likely to be a few centimeters away from the iBeacon. Near = The distance is approximately 1-3 meters. Far = The signal of the iBeacon is received, but it cannot be determined whether it is in the Near or Immediate zone. Unknown = The distance of the iBeacon cannot be determined at all.

A protocol is used that is based on Bluetooth Low Energy (BLE), a technology that consumes very little energy. And that was about it. That doesn’t sound particularly exciting, especially not revolutionary. It gets really interesting when iBeacons get in contact with a recipient – e.g. B. to a Bluetooth 4.0-capable smartphone on which an appropriate app is installed. If a customer is within the range of a beacon, the app on his smartphone can be used to provide him with location-based offers or information.

Legal aspects of Beacon technology solutions

iBeacons only send information about their identity and their position in the room. They do not collect personal data and are therefore of no legal importance. Data protection issues only become relevant in connection with the data exchange between the server and the app of the provider.

Companies are no doubt responsible for bringing their need for information about existing or potential customers into line with the legal framework. The focus is on transparency and comprehensive information for users. But there is also no doubt that the user is responsible. Of course, they can decide whether to install an app and agree to access various data. If you decide to do this, you should take the time to read the user agreements and license terms in order to make a conscious and knowing decision.

IBeacon technology has the potential to establish itself as one of the standard technologies in the foreseeable future. Market researchers see the positioning of this technology at the POS as having great potential for market growth. And creative minds are already developing composite systems in which, for example, B. Location services such as GPS, WLAN and beacons can be brought together for optimal use. What impact this will have on potential users and on the market is currently not foreseeable. But it is certainly interesting to watch the further development.

What about iBeacons and data protection? Read the interview with Frederick Richter, lawyer and board member of the Data Protection Foundation.

Frederick Richter is President of the Data Protection Foundation in Leipzig. The Data Protection Foundation was founded by the Federal Republic of Germany to strengthen the population’s ability to protect its own data through education and training. PROFESSIONAL SYSTEM asked him about the legal aspects of the new beacon technology solutions.

Mr. Richter, do you see any problems regarding the data protection of users with the current status of the new beacon technology solutions?

As so often, problems with protecting user data also arise with the new iBeacon technology only when several types of data are linked. The current beacon devices only send information about their own location. These data are neither personal nor personal. When looking at the sending beacon alone, there is, therefore, no problem. It can be more difficult if the apps are also viewed on the smartphone addressed by the beacon. Because these can tell the operator of the beacon a lot about the user. The user must always be clear about this so that he can decide whether he wants to continue using the corresponding application on his phone. The providers should therefore clearly communicate what they want to do with the user data.

The networking of everyday objects is the next big thing in the digital world. In addition to networked televisions and refrigerators, intelligent electricity meters are now also part of our everyday life. With the billion-dollar acquisition by Nest, Google is positioning itself on the market for networked devices. Samsung and LG also see great potential in the “Internet of Things” and are already developing their own platforms for the networked home. Market researchers forecast around 26 billion devices connected to the Internet by 2020. In addition to “intelligent” household items, the networking of products in brick-and-mortar retail is particularly interesting for marketing experts. They sense the long-awaited connection between online and offline trade and therefore have high hopes for new technologies. With the so-called Near Field Communication (NFC), retailers are already trying various solutions in this area. However, the goal of customer localization in department stores is not satisfactorily achieved by current technology (RFID, WLAN, infrared). With the so-called beacon technology, the necessary technical standard is now to be created. Beacons use a slimmed-down version of the Bluetooth standard, which uses less energy for data transmission and is therefore also suitable for everyday objects. This future market has not remained hidden from Apple: recently, iBeacon was launched as its own solution. The question for consumers is which data these beacons actually process and whether the technology creates new monitoring software. The following article gives a technical overview and deals with the legal aspects of data protection.

Data protection risk?

In data protection law, a distinction must be made between the beacon as the sender and the receiver program.

1. Beacon operator

Let us first focus on the operator of the beacon. The beacon technology solution itself only sends the identification numbers already mentioned, which can be processed by the receiving devices in a closer radius. Since the beacons are sent by individual objects, there is usually no personal reference within the meaning of Section 3 (1) of the Federal Data Protection Act (BDSG). The beacon itself cannot understand which device receives identification numbers because the data flow is only one-sided. A personal reference would only be conceivable if an object on which the beacon is installed is assigned to a specific person. Comparable to a smartphone ID, a personal reference could be given here if further information (name, email, Facebook profile, etc.) is linked to this date. In his article on iBeacons in the magazine PING, von der Heide describes the example of the iBeacon key fob, which enables the owner to determine the location of his keychain using the app. There would be a relevance to data protection law if additional personal information were added to the key fob.

Conclusion: Since the beacons act as pure transmitters, there is no data protection-relevant processing of personal data. As a rule, the beacon itself also has no personal reference, since it is not individual information about a specific or identifiable person. The only exceptions are a fixed connection between the object with the installed beacon and one person.

2. Receiver program

In contrast to the beacon, the receiver program (usually a smartphone app) processes and evaluates information. Since the app is regularly linked to a user account, personal data is stored and processed. For example, the program receives the information that the user was in the branch of a department store chain at a certain time. Since the exact position within the branch can also be determined by the beacon technology, there are interesting advertising opportunities. So a user could have looked at a certain product. Through tracking with a beacon, the shopkeeper receives the information that the purchase has not been completed (beacon at the checkout was not triggered). In order to still get his goods sold, the information in the app could be used for retargeting on the Internet. Ideally, the user is then directed to the online shop and moved to complete the purchase. Beacon technology thus extends retargeting with an offline channel.

Due to the direct personal reference (app – user account – location – beacon), processing according to German law would in principle only be possible with the consent of the data subject. If the user is aware of the data processing processes when installing an app, a legal justification could serve (processing to fulfill the contract). This would have to be checked individually based on the concrete implementation.

In any case, the user must be sufficiently informed. According to the Telemedia Act (TMG), users must be adequately informed in advance of the processing processes within a data protection declaration. The owners of the app would therefore have to clarify the purposes for which they are using the location data of the users. Marketing measures would also have to be named. A review by the Bavarian State Office for Data Protection Supervision last year shows that the obligation to provide comprehensive information within a data protection declaration is disregarded in many cases. Nevertheless, entrepreneurs should not put any gap here, but should create trust with their users through the necessary transparency. You can find information on creating such a data protection declaration here.

What should do to ensure beacon data protection?

It becomes particularly critical if the freedom of the user to make decisions about the data concerning him is undermined. This would be conceivable if the Bluetooth low energy technology used by the beacons is activated on the user device and an app is then installed, which secretly sends information to the beacon operator’s server at the request of beacons via this channel. Such abuse of trust would already be sanctioned under applicable data protection law, since the user has not given informed consent. In such legally clear cases, the user is also required to prevent it. He should only get apps from reputable sources, since there he can rather expect that playing with open cards.

Do you see potential development opportunities for beacon technology solutions and its application that could endanger data protection?

So far, smartphone users have a lot in their hands. Because you don’t have to install apps that react to iBeacons and possibly disclose unwanted personal data. However, this self-determination could be jeopardized if the beacon technology is also implemented on the iPhone or smartphone itself, i.e. if the user himself emits the signals that may a. can lead to a very precise indoor location of his person. Then he will have to be better informed about what the technology and offers want to reveal. Here the providers will be required to communicate clearly in order to build trust with customers or potential customers.

Conclusion: Beacon technology gives apps new possibilities for data processing. In addition to the question of legal admissibility (consent or legal basis), the information obligations in particular become interesting for the operator. Here operators have to describe all relevant processing processes with personal reference in order to create the necessary transparency for consumers.